Pierluigi Paganini
February 24, 2025
An unknown actor, named ExploitWhispers, leaked Matrix chat logs of the Black Basta ransomware gang revealing internal conflicts, and exposing member details and hacking tools as the gang reportedly collapses.
ExploitWhispers first uploaded the chat messages on MEGA, then also uploaded them to Telegram.
The leaked archive includes Black Basta’s internal chat messages from September 18, 2023, to September 28, 2024.
PRODAFT researchers reported that Black Basta has been largely inactive in 2025 due to internal conflicts, ransom scams, and ineffective ransomware. Key members left for other groups, and a major chat log leak on February 11 exposed their operations, allegedly due to attacks on Russian banks.
“BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind.” wrote PRODAFT on X.
“As part of our continuous monitoring, we’ve observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.” added the experts.
Their ransomware is also considered less effective compared to other major groups. Earlier this year, key members left BLACKBASTA to join Cactus (Nurturing Mantis) ransomware or other cybercriminal groups. The internal conflict was driven by “Tramp” (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBOT. As a key figure within BLACKBASTA, his actions played a major role in the group’s instability.
On February 11, 2025, a major leak exposed BLACKBASTA’s internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.”
The leaked Black Basta chat logs reveal insights into the gang’s operations, tactics, and tools. Researchers found they prioritized VPN exploits and maintained a shared victim spreadsheet. One member was identified as a 17-year-old. Messages indicate a blunt, high-pressure work environment.
Researchers from VX-underground analyzed the leaked Black Basta chat logs and reported they reveal insights into their operations, including skepticism towards LockBit, recruitment concerns about Dispossessor ransomware group, and interest in VPN exploits. One member is a 17-year-old. They use social engineering, maintaining a spreadsheet of targets and prioritizing industries like electrical and financial firms. Their workflow includes tricking victims into executing malicious files that connect to a C2 server, enabling ransomware deployment or remote access. A private loader was offered to them for $84,000/month.
The leaked messages from Black Basta convey a direct and harsh tone, with members mocking failures and emphasizing deadlines. Their workflow relies on social engineering to deliver malicious HTA files that connect to their server for payload deployment. Victims typically have 10-12 days to pay the ransom before their stolen data is published.
The researcher Suyesh Prabhugaonkar identified 367 unique Zoom links, domains, and IPs used by Black Basta. The gang exploited weak credentials, unpatched vulnerabilities, and social engineering for initial access. They rotated infrastructure to avoid detection and tested payloads. Key player GG (Trump), likely leader Oleg Nefedov, was involved in delegating tasks, tracking performance, and applying pressure on deadlines, according to Prodaft.
In May 2024, the FBI, CISA, HHS, and MS-ISAC issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.
Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.
Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.
“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.” reads the CSA.
In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.
The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.
In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.
The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.
“Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023.” reads the Elliptic’s report. “Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.”
Most of the victims are in the manufacturing, engineering and construction, and retail sectors. 61,9% of the victims are in the US, 15.8% in Germany, and 5.9% in Canada.
Some of the victims’ ransom payments were sent by both Conti and Black Basta groups to the gang behind the Qakbot malware.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
